All, I would like to take this opportunity to point folks to the OMG Healthcare Domain Task Force Resource Access Decision (RAD) specification as a formal computational model that can be, and is being, used in large health care enterprises. The demanding part of the enterprise is the cumulative agreement on identifying what policies are necessary within the environment.
The RAD standard provides several mechanisms for creating policies such as attributes, timed rules, etc. It also provides the ability to assign users and associate policies with users as well as with (computational) operations. You may find the full specification here: http://www.omg.org/cgi-bin/doc?formal/2001-04-01

What would be nice to see happen in the Healthcare standards is to define standard policies such as:

1) "Review Sensitive Patient Information"
2) "Order Sensitive Laboratory Tests"
etc.

This would ease interoperability between facilities where clinicians must access information from a variety of systems in order to make diagnosis etc.

Tom
2AB, Inc. <http://www.2ab.com/>
1700 Highway 31, Calera, Alabama 35040
205-621-7455 ext 107

At 11:19 PM 11/5/03 +1000, Thomas Beale wrote:
>This message forwarded on behalf of Prof Bernard Cohen:
>
> > > Merely providing the mechanisms for access control will not suffice.
> > > That was the basis of Ross Anderson's withering attack on the NHS network, on
> > > behalf of the BMC, that led to a great deal of embarrassment for the NHS
> > > and the UK government.
> > > The hard part is to define a security policy model that:
> > > -- is provably adequate with respect to the relevant legislative and ethical
> > > environments;
> > > -- is demonstrably implementable by the technical and social infrastructure;
> > > -- comes complete with compliance checks that are necessary and sufficient for
> > > validating any proposed implementation.
> > > As far as I know, my preliminary paper on this matter
> > > (http://www.soi.city.ac.uk/~bernie/hsp.pdf), incomplete though it is, is the
> > > only work done in this area. As you'll see, it requires a degree of semantic
> > > formalisation that is beyond the scope of any of the currently proposed EPR
> > > standards, GEHR included. The fact that this degree of formalisation is also
> > > beyond the comprehension of most of the stakeholders is irrelevant. You don't
> > > have to understand computational fluid dynamics to use a weather forecast.
> > >
> > > Quoting Thomas Beale <thomas at deepthought.com.au>:
> > >
> > > > "Bennett Quinn" <bnq at bneq.net>,
> > > >
> > > > > What is the proposed confidentiality model?
> > >
>--
>Prof Bernard Cohen, Dept of Comp Sc, City Univ, Northampton Sq.
>London EC1V 0HB tel: ++44-20-7040-8448 fax: ++44-20-7040-8587
>b.cohen at city.ac.uk WWW: http://www.soi.city.ac.uk/~bernie
>"Patterns lively of the things rehearsed"
>
>--
>Ocean Informatics: http://www.OceanInformatics.biz
>Deep Thought: http://www.deepthought.com.au
>openEHR: http://www.openEHR.org
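An added example, not code from the post or from the OMG RAD specification, of the decision model Tom describes: named policies bound to (computational) operations, attribute rules over the requester, a timed rule, and a combinator that turns the applicable policies into one decision. The class and function names (Policy, AccessDecision, access_allowed, standard_policies), the resource naming, the four-hour break-glass window and the sample requesters are assumptions of this sketch, not the RAD IDL; the two standard policy names are the ones proposed above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Requester attributes, the equivalent of the attribute list a RAD-style
# client hands to the decision service: attribute name -> value.
Attributes = Dict[str, str]

# Constructed reference time for the timed rule below (the post's timestamp).
T0 = datetime(2003, 11, 5, 23, 19)


def at(hours: float) -> datetime:
    """Helper: a point in time `hours` after the reference time T0."""
    return T0 + timedelta(hours=hours)


@dataclass
class Policy:
    """A named policy bound to one operation on a class of resources (hypothetical shape).

    rule              : predicate over the requester's attributes (attribute rule)
    valid_from/until  : optional bounds that make this a timed rule
    effect            : "permit" or "deny"
    """
    name: str
    operation: str
    resource_prefix: str
    rule: Callable[[Attributes], bool]
    effect: str = "permit"
    valid_from: Optional[datetime] = None
    valid_until: Optional[datetime] = None

    def applies(self, resource: str, operation: str, now: datetime) -> bool:
        """True when this policy governs the resource/operation at this time."""
        if operation != self.operation or not resource.startswith(self.resource_prefix):
            return False
        if self.valid_from is not None and now < self.valid_from:
            return False
        if self.valid_until is not None and now >= self.valid_until:
            return False
        return True


@dataclass
class AccessDecision:
    """Hypothetical decision point combining a list of policies."""
    policies: List[Policy] = field(default_factory=list)

    def access_allowed(self, resource: str, operation: str,
                       attrs: Attributes, now: datetime) -> Tuple[bool, List[str]]:
        """Deny-overrides combinator.

        Any applicable deny whose rule matches wins. Otherwise at least one
        applicable permit must match. No matching policy at all is a deny
        (closed world). The second element names the policies that decided,
        which is what an audit record of the decision should carry.
        """
        permits: List[str] = []
        denies: List[str] = []
        for p in self.policies:
            if p.applies(resource, operation, now) and p.rule(attrs):
                (denies if p.effect == "deny" else permits).append(p.name)
        if denies:
            return False, denies
        return bool(permits), permits


def care_team_clinician(attrs: Attributes) -> bool:
    """Attribute rule: a physician with a documented care relationship to the patient."""
    return (attrs.get("role") in {"attending_physician", "consultant"}
            and attrs.get("relationship") == "care_team")


def standard_policies(break_glass_start: datetime) -> AccessDecision:
    """Constructed policy set using the standard policy names proposed in the post."""
    return AccessDecision([
        Policy("Review Sensitive Patient Information", "review", "patient/",
               care_team_clinician),
        Policy("Order Sensitive Laboratory Tests", "order", "lab/",
               lambda a: a.get("role") == "attending_physician"
               and a.get("relationship") == "care_team"),
        # Timed rule: an emergency (break-glass) grant that expires after four hours.
        Policy("Emergency Review (break-glass)", "review", "patient/",
               lambda a: a.get("break_glass") == "true",
               valid_from=break_glass_start,
               valid_until=break_glass_start + timedelta(hours=4)),
        # Deny rule: clerical staff never see the restricted "vip" area,
        # even under break-glass, because deny overrides permit.
        Policy("Restricted Records Off-Limits To Clerical Staff", "review", "patient/vip/",
               lambda a: a.get("role") == "ward_clerk", effect="deny"),
    ])


if __name__ == "__main__":
    pdp = standard_policies(break_glass_start=T0)
    doctor = {"role": "attending_physician", "relationship": "care_team"}
    clerk = {"role": "ward_clerk", "break_glass": "true"}
    print(pdp.access_allowed("patient/123/history", "review", doctor, at(0)))
    print(pdp.access_allowed("patient/123/history", "review", clerk, at(1)))
    print(pdp.access_allowed("patient/123/history", "review", clerk, at(5)))
    print(pdp.access_allowed("patient/vip/7/history", "review", clerk, at(1)))
```

The point of returning the deciding policy names alongside the boolean is that a facility exchanging standard policy names with another facility can log and later audit which agreed policy granted or refused each access; the timed break-glass policy shows how the expiry is enforced by the decision point rather than by the caller.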

